As we look ahead to 2013, cybercrime continues to be a fact of life for financial institutions.
The year ahead is likely to bring more of it – counterfeiting, cybersquatting, digital piracy, phishing. Most banks are aware that cybercriminals are attacking them around the clock, but with the online banking boom, they're exposed on even more fronts and at deeper levels.
What specifically are these threats? Moving into 2013, there's a new level of attack emerging through the proliferation of cutting-edge methods of digital payment. This involves more directed attacks that could culminate, effectively, in cyberterrorism, where an organized hacking group can cause mass chaos without necessarily stealing anything.
Bringing down large chunks of the Internet – as happened during recent distributed denial of service (DDoS) attacks, wherein a group claiming Middle East ties targeted a range of U.S. banks, including Bank of America, Wells Fargo and JPMorgan Chase – puts fundamental freedoms at risk. This includes the freedom to access our own services online as well as the loss of convenience that's a natural cost of increased security. Then there's the perceived threat to our online freedom from legislative responses to cybercrime.
In addition, there's also been talk of "Code Red," an unexploded virus waiting to go off in the Department of Defense's computer system, and a series of cyberattacks on multiple key government infrastructures that Defense Secretary Leon Panetta is calling "cyber-Pearl Harbor."
There's good reason to connect the lesser threats of fraud, DDoS attacks and phishing at financial institutions to the greater societal threat of cyberterrorism. It's been observed, through careful tracking of the code associated with these larger crimes, that the groups responsible got their start by perpetrating smaller-scale cybercrimes, such as phishing bank and stock trading accounts.
In the world of cybercrime, volume is what matters. We've begun to see exploits against the newest forms of security access, such as multifactor identification. Cybercriminals, like our digital devices, just keep getting smarter. Even though banks have their own networks, they already face and will continue to battle against a volume-related threat to their systems. Enough service requests can jam the system to the point of shutdown, as the rising tide of DDoS attacks has demonstrated. Cybersquatters commit these attacks by making lots of "half-requests" that require timed responses from the bank.
What we will see going into 2013 is more of these attacks, combined with more sophistication and brute power. Smaller regional banks are likely targets, as they are generally less equipped to adequately withstand attacks. The cybercriminals behind these acts hope to cause a slowdown or, better yet, a complete stoppage of our online freedoms and normal day-to-day Internet activity, starting with online banking.
On a more immediate and rapidly proliferating front, mobile and online banking have taken a relatively controllable level of personal data out of the vault and onto the streets. Criminals will certainly go after this data as merchants, financial services institutions and consumers alike experiment and learn about how these new technologies behave in the public domain. Newer, more cutting-edge payment forms represent increased vulnerability for banks, first and foremost.
According to a report released in 2012 by CyberSource Corp., the annual cost of online fraud rose to $3.4 billion. And a 2011 study on online infringement from our U.K.-based research group, "Technical report: An Estimate of Infringing Use of the Internet," estimated that nearly 24% of online traffic is criminal in nature.